Red Hat and CVE compatibility
Q: What is the CVE project?
The Common Vulnerabilities and Exposures (CVE) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. Refer to http://cve.mitre.org for further information.
Q: What is Red Hat doing with the CVE project?
We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.
Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.
Q: Which Red Hat services use CVE names?
We have added CVE names to all Red Hat Security Advisories (RHSA) released since November 2001. These names appear on our website, in the email notifications sent to our security mailing lists, and on the Red Hat Network.
Red Hat has audited all security advisories since January 2000 and assigned or created CVE entries where appropriate.
Use the per-CVE pages to find information about a given CVE name.
Q: Why does the CVE website tell me a name you referenced is not found?
In many cases, the security issues our advisories address are not public knowledge prior to an advisory being released, and as such, do not already have assigned CVE names. For these situations, we work with MITRE to reserve the CVE names we need in advance; however, it can then take a short period of time for the CVE names to appear on the CVE website once the issues become public.
Q: What is the difference between a CVE entry and a candidate?
CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Prior to 19 October 2005, candidates were assigned names with the CAN- prefix to distinguish them from official CVE entries. The CAN- prefix has not been used since 19 October 2005, although it may still appear in older Red Hat publications and advisories.
A CVE name encodes the year in which the name was assigned and a unique number, N, indicating that it was the Nth name assigned that year. For example, CVE-2002-0067 was assigned a unique number in 2002, and was the 67th name assigned that year.
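As an added example (not Red Hat's or MITRE's code), the following Python code extracts names from text and treats the CAN- and CVE- spellings of a name as the same identifier, so that older advisories can be cross-referenced with current records. The function names and sample strings are constructed for illustration, and the pattern also accepts sequence numbers longer than four digits.

```python
import re
from collections import OrderedDict

# CAN- was the candidate prefix used before 19 October 2005; CVE- is the
# prefix for entries. Layout: PREFIX-YEAR-SEQUENCE. The lookarounds stop the
# pattern from matching inside a longer token or a longer digit run.
_NAME_RE = re.compile(
    r"(?<![A-Za-z0-9-])(CAN|CVE)-(\d{4})-(\d{4,})(?!\d)", re.IGNORECASE
)


def canonical(name):
    """Return (canonical CVE name, year, sequence number) or raise ValueError."""
    m = _NAME_RE.fullmatch(name.strip())
    if not m:
        raise ValueError("not a CVE or CAN name: %r" % name)
    _, year, seq = m.groups()
    return "CVE-%s-%s" % (year, seq), int(year), int(seq)


def extract(text):
    """Map each canonical name found in text to the spellings that referred to it."""
    found = OrderedDict()
    for m in _NAME_RE.finditer(text):
        name, _, _ = canonical(m.group(0))
        found.setdefault(name, []).append(m.group(0))
    return found


def cross_reference(a, b):
    """Names present in both texts, regardless of CAN-/CVE- prefix or case."""
    in_b = extract(b)
    return [name for name in extract(a) if name in in_b]


# Constructed sample input: an older advisory excerpt and a newer record.
# Only CVE-2002-0067 comes from the page; the other names are placeholders.
OLD_ADVISORY = "Fixes CAN-2002-0067 and can-2003-0001. See also CAN-2002-0067."
NEW_RECORD = "Related entries: CVE-2002-0067; CVE-2004-0002"

if __name__ == "__main__":
    print(canonical("CAN-2002-0067"))
    print(dict(extract(OLD_ADVISORY)))
    print(cross_reference(OLD_ADVISORY, NEW_RECORD))
```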
Q: Who else uses CVE names?
Many organizations use CVE names as part of their security services. More details can be found on the CVE website. In January 2002, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE standard solutions throughout their security infrastructure.
We hope our commitment to the CVE project will encourage other open source vendors to become more actively engaged in this initiative.
Q: Where can I go to find more information?
Refer to the CVE website for information about the CVE project, naming, and various processes: http://cve.mitre.org.